Versions Compared

Comment: Explain how to enable SSL for inter-broker communication and update some outdated text

...

The first step of deploying HTTPS is to generate the key and the certificate for each machine in the cluster. You can use Java's keytool utility to accomplish this task.
Write into a temporary keystore initially so that the certificate can be exported and signed later with a CA.

Code Block
$ keytool -keystore server.keystore.jks -alias localhost -validity {validity} -genkey

...

Kafka brokers can listen on multiple ports thanks to [KAFKA-1809](https://issues.apache.org/jira/browse/KAFKA-1809).
We need to configure the following property in server.properties, which must have one or more comma-separated values:

Code Block
listeners

This property must have a PLAINTEXT port along with an SSL port. Since we don't have inter-broker SSL support yet, if we only configure the SSL port, communication between brokers will not work.

Both a PLAINTEXT and an SSL port are necessary if SSL is not enabled for inter-broker communication (see below for how to enable it).

Code Block
listeners=PLAINTEXT://host.name:port,SSL://host.name:port

...

Code Block
ssl.protocol = TLS
# ssl.provider: optional. The name of the security provider used for SSL connections; defaults to the default security provider of the JVM.
# ssl.cipher.suites: a cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithms used to negotiate the security settings for a network connection using the TLS or SSL network protocol.
# ssl.enabled.protocols: the SSL/TLS protocol versions you are going to accept from clients. Note that SSL is deprecated; using it in production is not recommended.
ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type = JKS
ssl.keystore.location = /var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password = test1234
ssl.key.password = test1234
ssl.truststore.type = JKS
ssl.truststore.location = /var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password = test1234
# ssl.client.auth: "required" means client authentication is required; "requested" means client authentication is requested, but clients without certificates can still connect.
ssl.client.auth = none


If you want to enable SSL for inter-broker communication, add the following to the broker properties file (it defaults to PLAINTEXT):

Code Block
security.inter.broker.protocol = SSL
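The rules stated above (the listeners list must carry a port for whatever security.inter.broker.protocol is set to, PLAINTEXT by default; SSL listeners need keystore and truststore settings; SSL protocol versions are deprecated; ssl.client.auth takes none, requested or required) are easy to get wrong by hand. The following script is an added example, not part of this wiki page or of Kafka itself: a small linter that parses a broker's server.properties and reports violations of those rules. The property names are Kafka's; the host names, passwords and the two sample configurations are constructed for the demonstration.

```python
# Added example (not from the Kafka wiki or the Kafka project): lint the
# SSL-related settings of a Kafka broker properties file against the rules
# the page states. Sample configurations below are constructed.
import re

VALID_CLIENT_AUTH = {"none", "requested", "required"}
# PROTOCOL://host:port ; host may be empty (bind all interfaces)
LISTENER_RE = re.compile(r"^([A-Z]+)://([^:]*):(\d+)$")


def parse_properties(text):
    """Parse Java .properties text (key=value lines, '#' comments) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_listeners(value):
    """Split 'PLAINTEXT://h:9092,SSL://h:9093' into (protocol, host, port) tuples."""
    listeners = []
    for entry in value.split(","):
        entry = entry.strip()
        m = LISTENER_RE.match(entry)
        if not m:
            raise ValueError("malformed listener: %r" % entry)
        listeners.append((m.group(1), m.group(2), int(m.group(3))))
    return listeners


def check_ssl_config(props):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if "listeners" not in props:
        return ["listeners is not set"]
    protocols = {proto for proto, _, _ in parse_listeners(props["listeners"])}

    # Inter-broker traffic defaults to PLAINTEXT; whichever protocol is chosen
    # must have a listener, otherwise brokers cannot talk to each other.
    inter_broker = props.get("security.inter.broker.protocol", "PLAINTEXT")
    if inter_broker not in protocols:
        findings.append("security.inter.broker.protocol=%s has no matching listener" % inter_broker)

    if "SSL" in protocols:
        for key in ("ssl.keystore.location", "ssl.keystore.password", "ssl.key.password",
                    "ssl.truststore.location", "ssl.truststore.password"):
            if not props.get(key):
                findings.append("%s is required for an SSL listener" % key)
        enabled = [p.strip() for p in props.get("ssl.enabled.protocols", "").split(",") if p.strip()]
        for proto in enabled:
            if proto.upper().startswith("SSL"):  # SSLv2/SSLv3 are deprecated; only TLS should be accepted
                findings.append("%s is deprecated; remove it from ssl.enabled.protocols" % proto)
        client_auth = props.get("ssl.client.auth", "none")
        if client_auth not in VALID_CLIENT_AUTH:
            findings.append("ssl.client.auth=%s is not one of %s" % (client_auth, sorted(VALID_CLIENT_AUTH)))
    return findings


def lint(text):
    return check_ssl_config(parse_properties(text))


# Constructed sample: SSL for both clients and inter-broker traffic, TLS only.
SAMPLE_OK = """\
listeners=PLAINTEXT://broker1.example.internal:9092,SSL://broker1.example.internal:9093
security.inter.broker.protocol=SSL
ssl.enabled.protocols=TLSv1.2
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
ssl.client.auth=required
"""

# Constructed sample: SSL-only listener while inter-broker stays PLAINTEXT,
# a deprecated protocol version, missing truststore and a bad client.auth value.
SAMPLE_BAD = """\
listeners=SSL://broker1.example.internal:9093
ssl.enabled.protocols=TLSv1.2,SSLv3
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.client.auth=optional
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, lint(text) or "no findings")
```

Run it against a real server.properties with `lint(open(path).read())`; the second sample reproduces the SSL-only mistake described above and yields six findings, the first of which is the missing PLAINTEXT listener for the default inter-broker protocol.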


If you want to enable any cipher suites other than the defaults that come with the JVM, such as the ones listed at
https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html,
you need to install the **Unlimited Strength Policy files**: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html


Once you start the broker, you should see the following in server.log:

...